Chinese Hacker Microsoft Whac-A-Moles Websites APT15 (“NICKEL”)



Microsoft issued another of its ‘look how smart we are’ press releases yesterday. He claims to outsmart the Chinese pirates he calls NICKEL.

Redmond researchers identified 42 websites allegedly used by the hacker group. Microsoft’s attorneys convinced a court to seize the sites, redirecting traffic to well servers managed by Microsoft, for analysis.

it is not the first time we’ve seen Microsoft try this tactic. In today’s SB Blogwatch, we wonder if this really feels good.

Your humble blogger has curated these pieces of blogging for your entertainment. Not to mention: Twisted Mariah.

Panda vixen, Royal Dragon

What is the craic? Kellen Browning Reports: “Microsoft Seizes 42 Chinese Hack Group Websites”:

One of the many "baseless attacks"
A federal court in Virginia … granted Microsoft’s request to allow its Digital Crimes Unit to take over the … websites, which were operated by a group of hackers known as Nickel or APT15. The company redirects website traffic to … Microsoft servers to “help us protect existing and future victims while learning more about Nickel’s business.”

Nickel was attacking organizations in 29 different countries and using the information … “for intelligence gathering from government agencies, think tanks, universities and human rights organizations,” Tom said. Burt, Microsoft’s vice president for customer security and trust. … Microsoft did not name the organizations… targeted [but said] Nickel has targeted diplomatic organizations and foreign ministries in the Western Hemisphere, Europe and Africa, among other groups.

In July, the Biden administration accused the Chinese government of being responsible for a hacking campaign earlier this year that compromised a Microsoft email service used by some of the world’s largest corporations and governments. … The Chinese Embassy said at the time that the accusation was one of many “baseless attacks.”

And Dan Goodin adds: “Move allows Microsoft to intercept traffic that infected devices send to hackers’ servers”:

abyss
Nickel has been in Microsoft’s sights since at least 2016, and the software company has been tracking the now-halted intelligence campaign since 2019. … Names other security researchers use for Nickel include “KE3CHANG”, “APT15” , “Vixen Panda,” “Royal APT” and “Playful Dragon”.

With control of Nickel’s infrastructure, Microsoft will now “absorb” the traffic, which means that it is diverted from Nickel’s servers and to servers operated by Microsoft. [This] was the company’s 24th lawsuit against threat actors [using] the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and US Trademark Law, as a means of entering domain names.

Who, how, what and why? Microsoft PR managers look after MSTIC and DSU researchers – “NICKEL targeting government organizations”:

Exfiltration
As China’s influence in the world continues to grow and the nation establishes bilateral relations with more countries and expands partnerships in support of China’s Belt and Road Initiative, we believe that China-based threat actors will continue to target government, diplomatic and NGO clients. sectors to gain new knowledge, possibly for economic espionage or traditional intelligence gathering.

MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access devices and services. After a successful intrusion, they used credential dumpers or thieves to obtain legitimate credentials, which they used to gain access to victims’ accounts. NICKEL players created and deployed custom malware that allowed them to maintain persistence.

NICKEL used compromised credentials to log into victims ‘Microsoft 365 accounts through normal browser connections and the old Exchange Web Services (EWS) protocol to examine and collect victims’ emails. … In several observed cases, NICKEL has been seen to carry out regular data collection for exfiltration purposes.

Well done Microsoft? SplatMan_DK damns with slight praise:

Here is hoping
An impressive feat, with a lot of interesting data to come from it.

Hopefully Microsoft will share some of his ideas with the security community at large. Unfortunately, this is not always a common trend in the industry. … Hopefully, security researchers weigh more heavily at Microsoft than product managers at Intune, Azure Sentinel, and Defender.

Speaking of Azure, this anonymous coward is not a fan:

If only Microsoft would do something about the abuse of their Azure platform. They have countless different abuse services, and of course Whois information usually doesn’t provide the correct abuse contact information.

However, Freischutz is more favorable:

It’s not as if the people who have suffered it don’t deserve it. … Microsoft seems to be doing a better job here than all the US three-letter agencies put together, which might have something to do with Congress (D&R) sitting with its collective thumbs up its collective **** fighting culture wars on Twitter instead of ruling the country.

As for criticizing Congress, deet is suitable:

It is a commercial interest responding to a commercial threat. The policy is irrelevant until governments, not just Microsoft, do something about it.

But this “digital crime unit” seems rather disturbing. Tromos agrees:

I would be much happier if MS had a Prevention of the Digital Crimes Unit. As it stands, it looks like they’ve set up a unit to produce digital crimes, but let’s leave that to the Windows development team.

During this time, @ Ymer31214745 jokes thus:

So I guess Microsoft will not be doing business in China in the future?

And finally:

it’s still her

Hat tip: nospoon

Previously in And finally


have you read SB Blogwatch by Richi Jennings. Richi curates the best blogs, the best forums, and the weirdest websites… so you don’t have to. Hate mail can be addressed to @RiCHi Where [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Sauce in the image: Pascal Müller (via Unsplash)



Previous 14 events to discover in the next two weeks | Announce
Next Updated plans to redevelop St Christopher's as a retirement community have been unveiled. But some locals still need to be convinced.